FMC/FTD DNS inspection issues

deyster94
Level 5

To all:

 

I am trying to configure FMC/FTD to use my client's internal DNS servers for guest wireless. The interface for the guest wireless hangs off the FTD appliance and I have the policy built in FMC to allow DNS traffic from the guest wireless network inbound and vice versa. However, in the one location, they must have DNS inspection for one NAT statement that requires DNS doctoring. If I disable DNS inspection, they can reach the internal DNS servers. Otherwise, it fails with the following drop reason:

 

(inspect-dns-invalid-pak) DNS Inspect invalid packet

 

I can't figure out how to get around this problem in FTD.

 

TIA for any ideas,

 

Dan

3 Replies

nathan40
Level 1

Did you ever figure this out? I am having trouble even disabling inspection of DNS. Did you use the FlexConfig to disable inspection?

WeedyNaana2308
Level 1

I am not sure if this is still a problem, but have you looked at creating a FlexConfig to not inspect DNS traffic? Is this what you are after?

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-advanced.html#concept_53C22C306B57480D99DB905E90D5FDC9

We are looking at doing something similar for Cisco Umbrella as DNS traffic cannot be inspected due to encryption to the Cisco Umbrella Cloud.
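For anyone landing here with the same drop reason, below is what the FlexConfig approach mentioned in this thread looks like in practice, together with the FTD CLI checks that confirm it took effect. This is an added illustration, not configuration posted by any participant or taken from the Cisco guide linked above; the interface name guest and the IP addresses are placeholders. Keep the trade-off from the original question in mind: once inspect dns is removed from the global policy, the NAT rule that depends on DNS doctoring (the "translate DNS replies" option) stops rewriting A-record answers, and the protocol-conformance checks that produced the inspect-dns-invalid-pak drop are gone as well, so at a site that needs doctoring this is a way to confirm the cause rather than the final fix.

```cisco
! FlexConfig object body (deployment: Everytime, type: Append).
! Removes DNS application inspection from the default inspection class of
! the global service policy that FTD applies to all interfaces.
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map

! Verification from the FTD CLI after the policy is deployed.
! 1) The inspection_default class should no longer list "inspect dns".
show running-config policy-map
! 2) Per-interface inspection statistics; DNS should be absent.
show service-policy inspect dns
! 3) The ASP drop counter behind the symptom should stop incrementing.
show asp drop | include inspect-dns
! 4) Simulate a guest client query to the internal resolver
!    (placeholders: 10.50.0.25 = guest client, 10.0.0.53 = internal DNS).
packet-tracer input guest udp 10.50.0.25 40000 10.0.0.53 53 detailed
```

Run the show asp drop check before and after deployment while a guest client is resolving names; if the inspect-dns-invalid-pak counter stops climbing and the packet-tracer result shows the flow allowed through the access and NAT phases, the inspection engine was the blocking component and the remaining question is how to keep doctoring for the single NAT statement that needs it.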

 

Did the flexconfig resolve your encrypted DNS traffic to Umbrella issue?
